CVE-2025-0411, a recently disclosed vulnerability in the 7-Zip archiver, was exploited in the wild to distribute the SmokeLoader malware. The flaw, rated CVSS 7.0, is a mark-of-the-web bypass: by tricking a user into opening a crafted archive and then the file extracted from it, a remote attacker can execute arbitrary code in the context of the current user. 7-Zip fixed it in version 24.09, released in November 2024.
According to Trend Micro security researcher Peter Girnus, Russian cybercrime groups actively exploited this vulnerability through spear-phishing campaigns using homoglyph attacks to spoof document extensions. It is suspected that this flaw was used in a cyber espionage campaign targeting governmental and non-governmental organizations in Ukraine amid the ongoing conflict with Russia.
Windows attaches a Zone.Identifier alternate data stream, the mark-of-the-web (MotW), to files downloaded from the internet, and SmartScreen and Office rely on it to warn before running a file or to open it in Protected View. Affected 7-Zip versions propagate the mark to files extracted from a marked archive but not to files extracted from an archive nested inside it, so by double archiving the payload a threat actor obtains scripts or executables that run without those warnings. Trend Micro first observed exploitation in the wild on September 25, 2024, delivering SmokeLoader, a loader malware frequently used against Ukrainian targets.
The phishing emails carried specially crafted archive files. Inside the outer archive, the inner ZIP was given a name that used a homoglyph (a visually identical character from another script, such as Cyrillic in place of Latin) so that it appeared to be a Microsoft Word document; 7-Zip identifies an archive by its content rather than its name, so double-clicking the "document" simply opened the inner archive. Because the emails came from compromised accounts belonging to Ukrainian governing bodies and businesses, they looked authentic, and victims went on to open Internet shortcut (.url) files pointing to attacker-controlled servers that served the next stage.
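The lure structure described above (outer archive, inner archive disguised by a homoglyph extension, .url shortcut inside) can be checked for mechanically at the mail gateway or on an analyst's workstation. The following scanner is an added example written for this page, not code from Trend Micro, 7-Zip or the campaign. It assumes ZIP for both layers because the standard library has no 7z reader (the real lure used a 7z outer archive); the sample lure it builds, the file names in it and the URL 203.0.113.10 (an RFC 5737 test address) are constructed here. The `has_mark_of_the_web` helper reads the Zone.Identifier stream on Windows so you can confirm whether extracted files actually received the mark; on other platforms it always returns None.

```python
"""Scanner for the two tricks combined in the CVE-2025-0411 lures: an archive
nested inside another (the MotW propagation gap) and a homoglyph in the inner
file's extension. Added example, not Trend Micro's or 7-Zip's code.
Assumption: zip-in-zip stands in for the 7z-outer/zip-inner lure, and the
sample lure below (names, URL) is constructed for this example."""
import io
import unicodedata
import zipfile

# Leading bytes of common container formats a nested payload could use.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}


def detect_archive(data: bytes):
    """Return the container format of `data` by signature, or None."""
    for magic, fmt in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None


def mixed_script_extension(name: str) -> bool:
    """True if the extension mixes Unicode scripts, e.g. '.doс' where the last
    letter is CYRILLIC SMALL LETTER ES rather than LATIN SMALL LETTER C. A
    Cyrillic basename with a plain '.doc' extension is not flagged."""
    if "." not in name:
        return False
    ext = name.rsplit(".", 1)[1]
    scripts = {unicodedata.name(ch, "?").split()[0] for ch in ext if ch.isalpha()}
    return len(scripts) > 1


def scan_archive(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Walk a ZIP recursively and report nested archives, homoglyph
    extensions and Internet shortcut (.url) files."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            content = zf.read(info)
            if mixed_script_extension(name):
                findings.append(f"homoglyph extension: {name!r}")
            if name.lower().endswith(".url"):
                findings.append(f"internet shortcut inside archive: {name!r}")
            fmt = detect_archive(content)
            if fmt:
                findings.append(f"nested {fmt} archive at depth {depth + 1}: {name!r}")
                # Only ZIP can be descended into with the standard library.
                if fmt == "zip" and depth + 1 < max_depth:
                    findings.extend(scan_archive(content, depth + 1, max_depth))
    return findings


def has_mark_of_the_web(path: str):
    """On Windows NTFS, return the Zone.Identifier stream (the MotW) as text,
    or None if the file carries none. Elsewhere the stream syntax is just a
    filename that does not exist, so None is returned too."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def build_sample_lure() -> bytes:
    """Constructed lure with the structure the campaign used: outer archive ->
    inner ZIP whose name looks like a .doc -> .url shortcut to a remote host."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Document.url",
                    "[InternetShortcut]\r\nURL=http://203.0.113.10/next-stage.zip\r\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        # Final character is U+0441 CYRILLIC SMALL LETTER ES, not Latin 'c'.
        zf.writestr("Документ.do\u0441", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_lure()):
        print(finding)
```

On the constructed lure the scanner reports the homoglyph extension on the inner file, the nested ZIP, and the .url shortcut inside it. To reproduce the MotW gap itself, extract such a lure on a Windows host with 7-Zip older than 24.09 and call `has_mark_of_the_web` on the files from the inner archive: the outer archive's extracted file carries the stream, the inner one's do not.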
To mitigate the risk, update 7-Zip to version 24.09 or later (7-Zip has no automatic update mechanism, so this must be done manually), use email filtering to block or sandbox archive attachments, and prevent execution of files from untrusted sources through application control. The campaign against Ukrainian organizations shows that smaller local government bodies, which receive less security attention than larger agencies, are nevertheless targets.